{"id":"MGASA-2020-0332","summary":"Updated squid packages fix security vulnerability","details":"Due to use of a potentially dangerous function Squid and the default\ncertificate validation helper are vulnerable to a Denial of Service attack when\nprocessing TLS certificates. This attack is limited to Squid built with OpenSSL\nfeatures and opening peer or server connections for HTTPS traffic and SSL-Bump\nserver handshakes (CVE-2020-14058).\n\nDue to incorrect input validation Squid is vulnerable to a Request Smuggling\nand Poisoning attack against the HTTP cache. This attack requires an upstream\nserver to participate in the smuggling and generate the poison response\nsequence. Most popular server software are not vulnerable to participation in\nthis attack (CVE-2020-14059).\n","modified":"2026-02-04T02:54:47.357472Z","published":"2020-08-18T18:47:25Z","related":["CVE-2020-14058","CVE-2020-14059"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2020-0332.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=26884"},{"type":"REPORT","url":"http://www.squid-cache.org/Advisories/SQUID-2020_6.txt"},{"type":"REPORT","url":"https://github.com/squid-cache/squid/security/advisories/GHSA-qf3v-rc95-96j5"}],"affected":[{"package":{"name":"squid","ecosystem":"Mageia:7","purl":"pkg:rpm/mageia/squid?arch=source&distro=mageia-7"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.12-2.mga7"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2020-0332.json"}}],"schema_version":"1.7.3","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}